API-driven enrichment and monitoring workflows with the beta Validin Python SDK
Takeaways
- Validin is releasing a beta Python SDK for API-driven enrichment and monitoring workflows.
- The SDK supports bulk enrichment, Lookalike searches, and campaign tracking at scale.
- We used the SDK internally to monitor a mobile smishing campaign targeting major carrier brands.
- The SDK is open source, and we welcome feedback from analysts and developers.
This month we’re releasing the Validin Python SDK. It helps analysts build large-scale monitoring and bulk enrichment workflows with Validin’s API. In this blog, we’ll cover how to get started and showcase how we’ve been using it internally to monitor a mobile smishing campaign.
Getting started with the SDK
The package is hosted on PyPI and can be installed with the command pip install validin-sdk.
Read the getting started guide in our GitHub repository for quick instructions on how to get up and running with the SDK.
Engineering a Monitoring Script for a Large-Scale Mobile Smishing Campaign
In January 2026, a Validin team member received a phishing text from an icloud[.]com email address claiming that their T-Mobile rewards points were about to expire, with a malicious link to "redeem" them.

Figure 1. A screenshot of the initial smishing text received on January 12.
Clicking the link led the user to a fake T-Mobile rewards website that collects payment-card details.
![Figure 2. A screenshot of https[:]//att[.]aocxi[.]icu/pay, which hosted the same kit.](/images/validin_python_sdk_for_threat_monitoring/image2.png)
Figure 2. A screenshot of https[:]//att[.]aocxi[.]icu/pay, which hosted the same kit. Source: https://urlscan.io/result/019bbe4f-f234-739a-861a-fa8b26af46a7/
Examining the host response history of t-mobile[.]vgyva[.]icu revealed that the server configuration changed rapidly in the hours after it first became accessible from the public internet.
![Figure 3. A banner hash history of t-mobile[.]vgyva[.]icu.](/images/validin_python_sdk_for_threat_monitoring/image3.png)
Figure 3. A banner hash history of t-mobile[.]vgyva[.]icu.
Pivoting on the final banner hash in this series of rapid configuration changes, 558ef579a9adebb562d2b5f3fbdeeac3, yielded a small group of indicators with similar naming patterns, suggesting DGA-like behavior with mobile-provider-themed subdomains:
t-mobile[.]vgyva[.]icu
att[.]yguaf[.]icu
verizon[.]cfgqv[.]icu
t-mobile[.]cfdlrw[.]icu
t-mobile[.]fxcmsx[.]icu
verizon[.]celiq[.]icu
t-mobile[.]cfdkuy[.]icu
Continued Malicious Texts
After the initial brief exploration, the Validin team member continued to receive malicious texts from various email addresses with similar lures and URLs.

Figure 4. Three separate but similar malicious text messages received on different days from different email addresses.
Notably, none of these domains appeared in the smaller initial set we uncovered through the banner hash pivot. In addition, the DGA-like nature of these domains and the frequency of the texts implied a much larger campaign than the seven domains we initially uncovered. We could continue using the banner hash pivoting technique for each new domain received through the text messages. However, this method only revealed small subclusters and produced inconsistent results, making it difficult to track the campaign at scale.
Regex Hunting with Validin Lookalikes
After examining the malicious domains we initially uncovered, along with the additional domains received by the Validin team member, we derived the following regex pattern to match carrier-themed subdomains:
/^(t-mobile|att|verizon)\.([a-z]{5,6})\.(icu|cc)$/
With Validin’s Lookalike search, we can search up to the last 180 days of newly registered domains. Executing the search reveals the following results:

Figure 5. The results of the regex pattern search.
Triaging a couple of these domains by scanning their /pay route showed behavior consistent with the original indicators. During further analysis, we found that many of these domains shared the registrar Gname.com Pte. Ltd. Using this fact, along with the regex pattern, we can build a true monitoring script with Validin's Python SDK.
Using the Python SDK to Monitor This Campaign
After setting an API key and API endpoint with the VALIDIN_API_KEY and VALIDIN_BASE_URL environment variables, we can initialize a client:
from validin import Client
client = Client()
From here, we can launch a Lookalikes search:
lookalikes_results = client.lookalikes(
"/^(t-mobile|att|verizon)\\.([a-z]{5,6})\\.(icu|cc)$/",
lookback=1,
)
Once we have the results, we can launch a bulk registration enrichment query with the domains of each record:
registration_results = client.registration_history(
lookalikes_results.keys
).aggregate()
Finally, we can filter these results by registrar to narrow our list of candidate domains:
filtered_results = [
rr for rr in registration_results
if rr.registrar == "Gname.com Pte. Ltd." and rr.domain is not None
]
Once we have the finalized list, analysts can use the SDK to store these indicators back in a project or store them locally in their own cache. For the full list of indicators we uncovered with our tracking, please visit our indicators repository here. The full script is available here.
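To exercise the same triage logic end to end without an API key, here is an added example (not the Validin SDK or the post's script) that models the Lookalike regex filter from the Regex Hunting section and the registrar filter above on constructed data. The regex and the Gname.com Pte. Ltd. registrar string are taken from the post; the hostnames, the registration-record shape, the second registrar string and the apex-domain helper are assumptions made for illustration.

```python
# Added example (not Validin's SDK or script): an offline model of the triage
# pipeline described above. Hostnames and registration records are constructed;
# the regex and the Gname registrar string come from the post.
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Campaign pattern from the post: carrier-themed label, 5-6 lowercase letters, .icu or .cc
CARRIER_PATTERN = re.compile(r"^(t-mobile|att|verizon)\.([a-z]{5,6})\.(icu|cc)$")
TARGET_REGISTRAR = "Gname.com Pte. Ltd."


def refang(indicator: str) -> str:
    """Normalize a possibly defanged hostname ('t-mobile[.]abcde[.]icu') to a real one.

    Lower-casing is an assumption: DNS names are case-insensitive, but the
    regex above is case-sensitive, so normalize before matching.
    """
    return indicator.strip().lower().replace("[.]", ".")


def defang(hostname: str) -> str:
    """Defang confirmed indicators before storing or sharing them."""
    return hostname.replace(".", "[.]")


def match_carrier_hosts(hosts: Iterable[str]) -> list:
    """Keep only hostnames matching the campaign regex (deduplicated, sorted)."""
    return sorted({refang(h) for h in hosts if CARRIER_PATTERN.match(refang(h))})


def registered_domain(host: str) -> str:
    """Apex domain used for the registration lookup (assumed helper).

    The last two labels suffice for the single-level .icu/.cc TLDs in this
    campaign; a general tool should consult the Public Suffix List instead.
    """
    return ".".join(host.split(".")[-2:])


@dataclass(frozen=True)
class RegistrationRecord:
    """Minimal stand-in for one registration-history row (assumed shape)."""
    domain: Optional[str]      # None models a row with no domain; the post's filter drops these
    registrar: Optional[str]


def filter_by_registrar(records: Iterable[RegistrationRecord], registrar: str = TARGET_REGISTRAR) -> list:
    """Mirror the post's list comprehension: registrar match and a non-null domain."""
    return sorted({r.domain for r in records if r.registrar == registrar and r.domain is not None})


def triage(lookalike_hosts: Iterable[str], records: Iterable[RegistrationRecord]) -> list:
    """Regex filter -> apex lookup -> registrar filter; returns defanged hostnames."""
    hosts = match_carrier_hosts(lookalike_hosts)
    apexes = {registered_domain(h) for h in hosts}
    confirmed = set(filter_by_registrar(r for r in records if r.domain in apexes))
    return [defang(h) for h in hosts if registered_domain(h) in confirmed]


def new_since(cache: set, confirmed: Iterable[str]) -> list:
    """For a cron run: indicators not yet present in the analyst's local cache."""
    return sorted(set(confirmed) - cache)


# Constructed sample input (not real campaign data). Decoys exercise each regex clause.
SAMPLE_LOOKALIKE_HOSTS = [
    "t-mobile[.]abcde[.]icu",            # matches
    "T-Mobile[.]ABCDE[.]icu",            # same host, different case: deduplicated
    "att[.]fghijk[.]cc",                 # matches (6-letter label, .cc)
    "verizon[.]lmnop[.]icu",             # matches, but registrar differs below
    "tmobile[.]qrstu[.]icu",             # no hyphen: rejected
    "att[.]vwxyzab[.]icu",               # 7-letter label: rejected
    "verizon[.]cdefg[.]com",             # wrong TLD: rejected
    "att[.]ab123[.]cc",                  # digits in label: rejected
    "t-mobile[.]abcde[.]icu[.]example",  # anchored $ rejects trailing labels
]
SAMPLE_REGISTRATION_RECORDS = [
    RegistrationRecord("abcde.icu", "Gname.com Pte. Ltd."),
    RegistrationRecord("fghijk.cc", "Gname.com Pte. Ltd."),
    RegistrationRecord("lmnop.icu", "Example Registrar, Inc."),  # constructed: other registrar
    RegistrationRecord(None, "Gname.com Pte. Ltd."),             # no domain: dropped
]

if __name__ == "__main__":
    confirmed = triage(SAMPLE_LOOKALIKE_HOSTS, SAMPLE_REGISTRATION_RECORDS)
    print("confirmed:", confirmed)
    print("new since last run:", new_since({"att[.]fghijk[.]cc"}, confirmed))
```

The decoy inputs are the useful part: each one fails exactly one clause of the regex, which is how to check that a hunting pattern is as tight as intended before turning it into an automated feed. Against the real SDK, the `triage` output is the list you would write back to a project, and `new_since` is the diff a cron job would alert on.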
Conclusion
We’ve been using this script in a cron job to maintain a large-scale project tracking this campaign. We designed the SDK to support bulk enrichment workflows, making it easier to run secondary and tertiary checks before taking action on final candidate indicators. The Python SDK is available in beta and is open source. We’d love feedback from analysts and developers who use it in their own enrichment and monitoring workflows.